Exchange and the active directory
Exchange and the Active Directory. MSG 300. Eileen Brown IT Pro Evangelist Microsoft UK [email protected] http://blogs.technet.com/eileen_brown. Agenda. Internals of Exchange AD management Active Directory 101 Storing Exchange data in AD


Presentation Transcript



Exchange and the Active Directory

MSG 300

Eileen Brown

IT Pro Evangelist

Microsoft UK

[email protected]

http://blogs.technet.com/eileen_brown



Agenda

  • Internals of Exchange AD management

    • Active Directory 101

    • Storing Exchange data in AD

    • Creating, managing and maintaining Exchange information in AD

    • Permissions needed to run Exchange

    • Reading information from AD

      • DSAccess

      • DSProxy

    • Three common problems



Active Directory 101


Active Directory 101 - The Storage

  • Active Directory is a database

    • Easy to locate, access, and read information

    • Common set of objects

    • Hierarchy and Permission Model for accessing and managing objects

    • Integrated with Windows security


Active Directory 101 - Naming Contexts

Naming context      Contains                                  Available on
Schema NC           Schema object definitions                 All AD controllers (DCs/GCs)
Configuration NC    Replication topology, domains, servers    All DCs in forest
Domain NC           Users, groups, contacts                   All DCs in the same domain
Application NC      Application data                          Specific DCs in forest


Active Directory 101 - Makeup of a forest

(Diagram: a forest with two domains, dom1.contoso.com and dom2.contoso.com; each domain has several DCs and GCs, and every DC and GC carries a copy of the Config naming context.)


Active Directory 101 - Windows Sites

(Diagram: two sites joined by a site connector.)

  • Group of servers with good connectivity

    • One site can span multiple domains

    • One domain can have multiple sites


Active Directory 101 - What’s New in Windows 2003?

  • Schema deactivation

    • Deactivation of core Exchange attributes is not supported

  • When in forest and domain functional level 2

    • Group membership replication improvements

    • Inter Site Replication Topology Generator

    • Domain Rename

  • Application naming context



Storing Exchange data in AD



Where Exchange data is stored in AD

  • Domain NC for Recipients

    • Mailboxes, DLs, and Contacts

      • Most Exchange information placed in this container is replicated to GCs

  • Configuration NC for everything else

    • Exchange System Objects (Stores, Connectors, Etc.)

    • Active Directory Connector (ADC) settings

      • Configuration container is replicated to every DC



Storing Exchange data in the AD

  • Exchange extends AD schema to store information

    • Extends existing classes

      • Users, InetOrg-Person,...

    • Creates new classes

      • Connectors, Admin Groups,...

  • Extension done during:

    • Forest prep, Exchange Setup, and ADC setup


Storing Exchange Data in the AD

>> Dn: CN=Eileen Brown,CN=Users,DC=Eileen, DC=Contoso,DC=com

Primary:

1> displayName: Eileen Brown;
1> mail: [email protected];
1> homeMDB: (Dn of home store);
1> homeMTA: (Dn of MTA on home server);
1> legacyExchangeDN: /o=contoso/ou=MAIN-SITE/cn=Recipients/cn=eileen;
1> mailNickname: eileen;
4> proxyAddresses: SMTP:[email protected];

Additional Core:

3> showInAddressBook: (Link to address books);
1> msExchHomeServerName: (Dn of home server);
1> msExchMailboxGuid: <ldp: Binary blob>;
1> msExchMailboxSecurityDescriptor: <ldp: Binary blob>;
1> msExchPoliciesIncluded: (Link to recipient policies);
1> msExchUserAccountControl: 0;


Creating, Managing, and Maintaining Exchange information in AD



How Is Exchange data populated?

  • From Existing systems

    • Active Directory Connector (5.5)

      • Imports information from Exchange 5.5 into AD

      • Provides ongoing two-way mapping between Exchange 5.5 and Active Directory Objects

      • ADC Inter-Org mode to create contacts from external Exchange systems

    • Foreign Connectors (Foreign Systems)

      • Foreign Connectors (Notes, ccMail, GroupWise) for other systems

    • MIIS

      • GALSynch tool to enable cross forest scenarios



How Is Exchange Data Populated? (2)

  • By Exchange setup

    • Initial Configuration

  • By Administrators

    • When creating objects in AD

      • Recipient provisioning (Mailboxes, DLs, Contacts)

        • Use Active Directory Users and Computers

      • Exchange Configuration

        • Use Exchange Server Manager

    • Using scripts

      • CDOEXM recipient and configuration data


Object Management - The Recipient Update Service (RUS)

  • Monitors and updates recipient information

    • Enforces recipient policies

      • Sets proxy addresses

      • Ensures core attributes exist (home MTA, home MDB, etc.)

  • Monitors and updates address lists

  • Monitors server membership

    • Manages and maintains membership of Exchange special groups
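As an added example (not code from the deck), the Python below parses an ldp.exe-style object dump like the one on the "Storing Exchange Data in the AD" slide, decides from the DN which naming context the object lives in (using the NC layout the "Naming Contexts" slide describes), and reports which core recipient attributes the RUS would be expected to have stamped. The naming-context DNs, the sample dump and the e-mail addresses are constructed; the list of core attributes is taken from the slides.

```python
import re

# Naming-context DNs for a constructed forest. In a live forest these come from
# the RootDSE attributes defaultNamingContext, configurationNamingContext and
# schemaNamingContext.
NAMING_CONTEXTS = {
    "Domain NC": "DC=Eileen,DC=Contoso,DC=com",
    "Configuration NC": "CN=Configuration,DC=Eileen,DC=Contoso,DC=com",
    "Schema NC": "CN=Schema,CN=Configuration,DC=Eileen,DC=Contoso,DC=com",
}

# Core attributes a mailbox-enabled user should carry (from the slides); the RUS
# is what stamps homeMDB/homeMTA and the proxy addresses.
CORE_ATTRIBUTES = ("mail", "homeMDB", "homeMTA", "legacyExchangeDN",
                   "mailNickname", "proxyAddresses", "msExchHomeServerName")

# ldp prints each attribute as "<count>> <name>: <v1>; <v2>; ...;"
ATTR_LINE = re.compile(r"^\s*(\d+)>\s*([A-Za-z0-9-]+):\s*(.*?);?\s*$")


def normalize_dn(dn):
    """Lower-case a DN and drop the optional space after each comma so that
    'DC=Eileen, DC=Contoso' and 'DC=Eileen,DC=Contoso' compare equal."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def naming_context_of(dn, ncs=NAMING_CONTEXTS):
    """Name of the NC whose DN is the longest suffix of dn, or None.

    The Schema NC lives underneath the Configuration NC, so a plain
    'ends with the Configuration DN' test would file schema objects under
    Configuration; longest-suffix matching avoids that.
    """
    target = normalize_dn(dn)
    best_name, best_len = None, -1
    for name, nc_dn in ncs.items():
        nc = normalize_dn(nc_dn)
        if (target == nc or target.endswith("," + nc)) and len(nc) > best_len:
            best_name, best_len = name, len(nc)
    return best_name


def parse_ldp(text):
    """Return (dn, {attribute: [values]}) from one ldp object dump."""
    dn, attrs = None, {}
    for line in text.splitlines():
        if line.startswith(">> Dn:"):
            dn = line[len(">> Dn:"):].strip()
            continue
        m = ATTR_LINE.match(line)
        if m:
            attrs[m.group(2)] = [v.strip() for v in m.group(3).split(";") if v.strip()]
    return dn, attrs


def get_attr(attrs, name):
    """Case-insensitive lookup, because LDAP attribute names are case-insensitive."""
    for key, values in attrs.items():
        if key.lower() == name.lower():
            return values
    return []


def primary_smtp(attrs):
    """proxyAddresses marks the primary address with an upper-case 'SMTP:' prefix."""
    for value in get_attr(attrs, "proxyAddresses"):
        if value.startswith("SMTP:"):
            return value[len("SMTP:"):]
    return None


def audit_recipient(text):
    """Summarise one ldp dump: DN, naming context, missing core attributes, primary SMTP."""
    dn, attrs = parse_ldp(text)
    return {
        "dn": dn,
        "naming_context": naming_context_of(dn) if dn else None,
        "missing": [a for a in CORE_ATTRIBUTES if not get_attr(attrs, a)],
        "primary_smtp": primary_smtp(attrs),
    }


# Constructed sample dump modelled on the slide; the DNs and addresses are made up.
SAMPLE_LDP = """\
>> Dn: CN=Eileen Brown,CN=Users,DC=Eileen, DC=Contoso,DC=com
1> displayName: Eileen Brown;
1> mail: eileen@contoso.example;
1> homeMDB: CN=Mailbox Store (SRV1),CN=First Storage Group,CN=InformationStore,CN=SRV1,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=Contoso,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Eileen,DC=Contoso,DC=com;
1> homeMTA: CN=Microsoft MTA,CN=SRV1,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=Contoso,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Eileen,DC=Contoso,DC=com;
1> legacyExchangeDN: /o=contoso/ou=MAIN-SITE/cn=Recipients/cn=eileen;
1> mailNickname: eileen;
2> proxyAddresses: SMTP:eileen@contoso.example; smtp:ebrown@contoso.example;
1> msExchHomeServerName: /o=contoso/ou=MAIN-SITE/cn=Configuration/cn=Servers/cn=SRV1;
1> msExchUserAccountControl: 0;
"""

# The same user with the RUS-stamped homeMTA and proxy addresses missing.
SAMPLE_INCOMPLETE = "\n".join(
    line for line in SAMPLE_LDP.splitlines()
    if not line.startswith(("1> homeMTA:", "2> proxyAddresses:"))
)

if __name__ == "__main__":
    for dump in (SAMPLE_LDP, SAMPLE_INCOMPLETE):
        print(audit_recipient(dump))
```

Running the module prints the audit for both constructed dumps; the second one reports homeMTA and proxyAddresses as missing, which is the kind of gap you see when the RUS has not yet processed a newly created account.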



Permissions needed to run Exchange



Permissions needed

  • To complete setup

    • Forest prep

      • First time in the forest (updates the schema) - Member of Enterprise Admin group and Schema Admin group

      • Run ForestPrep thereafter - Exchange Full Administrator at the organisation level

    • Domain prep - Domain Administrator

    • Server setup

      • Install the first server in a domain - Exchange Full Administrator at organisation level

      • Install additional servers in the domain - Exchange Full Administrator at administrative group level

  • To manage recipients

    • Permissions to read and write the Exchange attributes - Account Operator

  • To manage configuration

    • Permissions to read and write to objects in the Exchange container for management - Exchange Admin


Permissions needed - Granting admins permissions

  • The Exchange Delegation Wizard

    • Tool to set appropriate permissions within the Exchange configuration container

    • Allows for three levels

      • Exchange Full Administrator

      • Exchange Administrator

      • View Only Administrator

  • Active Directory Users and Computers

    • Tool to grant admins permissions to manage accounts



Permissions Needed… By Servers

  • To Access and manage recipients

    • Permissions to read and write to the Exchange attributes to route mail, and update account information

  • To Access Configuration

    • Permissions to read and write to objects in the Config Naming Context for lookup and reporting



Permissions Needed… Granting Server Permissions

  • Uses two groups together to provide forest-wide access

    • Exchange Domain Servers (EDS)

      • Global Group in each domain

      • Contains the Exchange Servers in that domain

      • Permissions to the Exchange container

    • Exchange Enterprise Servers (EES)

      • Local Group in each domain

      • Contains the “Exchange Domain Servers” from all domains

      • Has permissions to recipient objects for that domain

Issue: Is permission overlap between AD and Exchange administrators ok?


Split AD and Exchange Admin - Resource Forest Option

  • Account forest for managing user accounts

    • AD admins in charge of managing user accounts

    • No schema extension

  • Exchange resource forest for managing Exchange

    • Exchange recipient information

    • Exchange configuration data

  • Setting up a mailbox

    • Use the Exchange task ‘Associate External Account’ to set up the mailbox

(Diagram: User A lives in the Account Forest; a trust links it to the Exchange Resource Forest, which holds a disabled placeholder account for User A.)



Reading Information from AD


Reading Information from AD - Information needed in AD

  • Exchange needs to deliver messages and access configuration

    • Domain Controllers (DC): System/Server configuration

    • Global Catalogs (GC): Mailbox/Recipient information

  • Messaging clients need an address book

    • Outlook (MAPI) clients read address book information directly from Global Catalogs

    • Other clients use LDAP access to search Active Directory


Reading Information from AD - DSAccess Overview

  • Shared API to Access Active Directory

    • Provides access to both configuration and recipient data

  • Provides a shared memory cache

    • Reduces load on Active Directory

    • Increases performance for messaging operations

  • Automatic topology discovery


Reading Information From the AD - Building Topologies - DSAccess Roles

  • Working DCs list

    • List of Domain Controllers that can accept Domain Naming Context queries for the local domain

    • Selection criteria

      • Domain Prepped Domain, Local AD site over remote site

  • Configuration DC

    • Domain Controller used for reading and writing configuration

    • Re-evaluation every 8 hours

  • Working GCs list

    • List of Global Catalog servers for forest-wide look-ups

    • Detected servers used by DSAccess, DSProxy and Categorizer

    • Re-evaluation every 15 minutes


Reading Information From The AD - Roles Example

(Diagram: domains DOM 1 and DOM 2 spanning Site A and Site B, with directory servers A (GC/DC), B (DC), C (DC), D (GC/DC), E (DC) and F (GC/DC); the Exchange server is labelled E2k.)

  • If Exchange server is in Site A and DOM2

    • Configuration DC: A, B, C, or D

    • Working DCs: C, D, A, and B

    • Working GCs: D, and A


Reading Information from AD - Failing out of site

(Diagram: the Exchange server (E2k) in a site whose GCs are no longer reachable, marked with an X; IP site links with costs 15, 5 and 5 and an SMTP site link with cost 5 lead to other sites, each holding several GCs.)

Use all GCs from out-of-site group and load-balance

Topology re-evaluation every 5 minutes to see if fail-back can occur
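The selection rules on the DSAccess roles slides and the out-of-site failover described above can be modelled in a few lines. The Python below is an added example, not DSAccess's own algorithm or any code from the deck: it is a simplified model in which the cheapest cumulative site-link cost decides which out-of-site group is used, in-site servers are always preferred, and every GC in the winning group is returned so the caller can load-balance across it. The forest, site-link costs and server names are constructed and do not correspond to the diagrams.

```python
import heapq
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class DirectoryServer:
    name: str
    site: str
    domain: str
    is_gc: bool = False            # every server here is a DC; GCs are flagged


@dataclass(frozen=True)
class Forest:
    servers: tuple
    site_links: dict               # {frozenset({site_x, site_y}): cost}
    prepped_domains: frozenset     # domains where DomainPrep has been run
    down: frozenset = frozenset()  # servers currently unreachable

    def site_costs(self, start):
        """Cheapest cumulative site-link cost from start to each reachable site (Dijkstra)."""
        adjacent = {}
        for link, cost in self.site_links.items():
            a, b = tuple(link)
            adjacent.setdefault(a, []).append((b, cost))
            adjacent.setdefault(b, []).append((a, cost))
        dist = {start: 0}
        heap = [(0, start)]
        while heap:
            d, site = heapq.heappop(heap)
            if d > dist[site]:
                continue
            for nxt, cost in adjacent.get(site, []):
                if d + cost < dist.get(nxt, float("inf")):
                    dist[nxt] = d + cost
                    heapq.heappush(heap, (d + cost, nxt))
        return dist

    def reachable(self, local_site):
        """Servers that are up and in a site reachable from local_site, nearest site first."""
        costs = self.site_costs(local_site)
        up = [s for s in self.servers if s.name not in self.down and s.site in costs]
        return sorted(up, key=lambda s: (costs[s.site], s.name)), costs


def working_dcs(forest, local_site, local_domain):
    """DCs able to answer Domain NC queries for the local domain: in-site ones
    first, then out-of-site by rising cost. An un-prepped domain yields nothing."""
    if local_domain not in forest.prepped_domains:
        return []
    servers, _ = forest.reachable(local_site)
    return [s.name for s in servers if s.domain == local_domain]


def config_dc_candidates(forest, local_site):
    """Every DC holds the Configuration NC, so any reachable DC qualifies;
    the first entry (nearest site) is the natural Configuration DC."""
    servers, _ = forest.reachable(local_site)
    return [s.name for s in servers]


def working_gcs(forest, local_site):
    """GCs for forest-wide lookups: all in-site GCs if any are up, otherwise
    all GCs in the cheapest reachable site that still has one, so the caller
    can load-balance across that whole group."""
    servers, costs = forest.reachable(local_site)
    gcs = [s for s in servers if s.is_gc]
    if not gcs:
        return []
    best = costs[gcs[0].site]      # list is sorted by cost, so first = cheapest
    return [s.name for s in gcs if costs[s.site] == best]


def with_down(forest, *names):
    """Copy of forest with the named servers marked unreachable."""
    return replace(forest, down=forest.down | frozenset(names))


# Constructed forest: three sites, two domains (not the deck's diagram).
SERVERS = (
    DirectoryServer("A", "SiteA", "dom2", is_gc=True),
    DirectoryServer("B", "SiteA", "dom2"),
    DirectoryServer("C", "SiteB", "dom2", is_gc=True),
    DirectoryServer("D", "SiteB", "dom1"),
    DirectoryServer("E", "SiteC", "dom2", is_gc=True),
    DirectoryServer("F", "SiteC", "dom1", is_gc=True),
)
SITE_LINKS = {
    frozenset({"SiteA", "SiteB"}): 5,
    frozenset({"SiteA", "SiteC"}): 15,   # direct link is dearer than going via SiteB
    frozenset({"SiteB", "SiteC"}): 5,
}
FOREST = Forest(SERVERS, SITE_LINKS, frozenset({"dom1", "dom2"}))

if __name__ == "__main__":
    print("working DCs  ", working_dcs(FOREST, "SiteA", "dom2"))
    print("config DCs   ", config_dc_candidates(FOREST, "SiteA"))
    print("working GCs  ", working_gcs(FOREST, "SiteA"))
    print("A down       ", working_gcs(with_down(FOREST, "A"), "SiteA"))
    print("A and C down ", working_gcs(with_down(FOREST, "A", "C"), "SiteA"))
```

Two things the model makes visible: the working DC list is domain-specific while the Configuration DC can be any DC, because only the Domain NC is limited to one domain's controllers; and failover follows the cumulative site-link cost, so SiteC is reached via SiteB (cost 10) rather than over the direct cost-15 link, which is why the site link costs in problem (2) below matter. Fail-back is implicit: once an in-site GC is no longer marked down, the next evaluation returns it again.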


Reading Information From The AD - DSProxy Overview

  • Helps Clients find Active Directory: (RFR interface)

    • Outlook 98 SR2 and above

  • Provides Directory data: (NSPI Proxy)

    • Outlook 98 SR1 and older clients

  • Obtains list of servers to use

    • from DSAccess


MAPI Clients - Proxy Service - Prior to Outlook 98 SR1

(Diagram: the client sends its address book query/logon to the Exchange 2003 server, which forwards it to the Global Catalog; the results flow back along the same path.)

  • Outlook 98 (SR1 and before), Outlook 97, Exchange 4.0 and 5.0

  • Forwards clients’ address book RPC packets to a Windows 2000 GC in the same domain as the server

  • Transparent to client


MAPI Clients - Referral Service - Outlook 98 SR2, 2000 and XP

(Diagram: at logon or profile creation the client sends a GC referral request to the Exchange 2003 server and receives a GC referral; address book queries then go directly to the Global Catalog, which returns the results.)

  • Client requests the name of the GC to use from an Exchange server

  • GC is used for all Address Book queries

  • Outlook 98 SR2 and 2000 only request a GC at profile creation time or after a restart (GC failure)

  • Outlook 2000 SR2 and XP request a GC at each logon



AD Load Breakdown

  • Slice by Active Directory server role

    • 80/20 GC to DC Loading

  • Slice by process – DSAccess – 60%

    • 30% to Config DC

    • 5% to Working DCs

    • 65% to Working GCs

  • Slice by process – Categorizer – 30%

    • 100% to Working GCs

  • Slice by process – DSProxy – 10%

    • 100% to Working GCs



Three common problems


Three common problems (1) - Basic GC/DC misplacements

  • Examples

    • Customer places all GCs/DCs in Windows “Default” site

    • Customer places Exchange in a remote location with no GC/DC

  • Possible Symptoms

    • Service failures, slow message handling/routing, large message queues, poor performance, etc.

  • Solution

    • Education, understanding of GC placement so that GCs are close to client/server


Three common problems (2) - Incorrect GC/DC failover

  • Example

    • Exchange in a site with no connected sites and a single GC

    • Not setting site links appropriately

  • Possible Symptoms

    • Overload of a single GC, overload of network bandwidth, failure to find a GC, causing service failures, slow lookups, message queues, etc.

  • Solution

    • Understand the effect of site link costs, and set them accordingly

    • Plan for GC redundancy


Three common problems (3) - DNS to AD mismatches

  • Examples

    • Customer creates 2 GCs in a site, but DNS only has one entry

  • Symptoms

    • Overload of other GCs, failover to an out-of-site GC/DC even when a GC/DC in the site is available

  • Solution

    • NetDiag can help determine what is broken and update DNS



In summary

  • Internals of Exchange AD management

    • Active Directory 101

    • Storing Exchange data in AD

    • Creating, managing and maintaining Exchange information in AD

    • Permissions needed to run Exchange

    • Reading information from AD

      • DSAccess

      • DSProxy

    • Three common problems



Community Resources

  • Community Resources

    • http://www.microsoft.com/communities/default.mspx

  • Most Valuable Professional (MVP)

    • http://www.microsoft.com/communities/mvp

  • Newsgroups

    • Converse online with Microsoft Newsgroups, including Worldwide

    • http://communities2.microsoft.com/communities/newsgroups/en-us/default.aspx

  • User Groups - Meet and learn with your peers

    • http://www.microsoft.com/communities/usergroupsdefault.mspx



Knowledge Needed. Knowledge Applied.

Microsoft Products and Services for Lifelong Learning

  • Assess your skills

  • Take an eLearning course

  • Subscribe to Microsoft TechNet

  • Get the latest information on IT Pro and Developer Books to purchase online or at your local bookstore

  • Find the course right for you and a Microsoft Certified Partner for Learning Solutions in your area

  • Learn about the Microsoft certifications that can enable and advance your career

www.microsoft.com/learning - Learn more. Go Further



© 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.

